European Privacy Officials: Google, Yahoo, and Microsoft Are Still Breaking European Privacy Law

At a time when users regularly turn to search engines to find information on the Internet, search privacy is of paramount importance. The search terms you give to search engines can be used to compose a telling portrait of your interests and concerns, a fact that has led privacy advocates to call for greater protection for individual users.

That's why it's great news that European privacy officials from the Article 29 Data Protection Working Party" (WP29), which is an influential advisory body to the European Commission, have recently taken decisive action to push for stronger search engine privacy.

Recently, WP29 told the major search engines Google,Microsoft and Yahoo that their methods of making users' search data anonymous still do not comply with the European Union's Data Protection Directive, a legislative mandate requiring governments and businesses to protect citizens from indiscriminate collection, use, and disclosure of personal information. WP29 further requested that the search engines change their search data retention policies to comply with the recommended maximum period of 6 months.

This builds on an opinion WP29 issued in April 2008, concluding that search engines' data retention practices are, in fact, subject to the EU Data Protection Directive. To comply with the law, WP29 has stated that search companies must delete or anonymize search log data, including IP addresses and search queries, no later than six months after their collection (if not earlier), and ensure that the anonymized data cannot be linked back to an individual.

After WP29 issued the opinion in April 2008, the world's three largest search engines met with the European authorities to discuss data retention practices and search anonymization policies, and the companies responded with various privacy improvements.

At the time, Google announced that it would anonymize IP addresses in its server logs after nine months, instead of the previous 18-24 months. Since then, Google has indicated that in practice it deletes the last octet of collected IP addresses. Google retains other information, like cookies, for a period of 18 months. Yahoo announced that it would anonymize user log data, page views, clicks, ad views, and ad clicks within 90 days of collection, with limited exceptions for fraud, security, and legal obligations. Yahoo also announced that it would delete full IP addresses, rather than deleting merely the last octet. And this year, Microsoft announced that it will delete IP addresses associated with search queries six months after their collection, a reduction form the previous practice of retaining that data for 18 months. Microsoft's announced data retention policy goes further by endorsing "de-identification" (separation of search queries and account information, as well as anonymization of cookie information) as soon as a Bing search query is received. After 18 months, Microsoft then deletes cookie information, and any other cross-session IDs associated with the search query.

Last week's letters from WP29 essentially responded to this first round of changes from the search companies. WP29 told Yahoo that "a partial deletion of the personal data contained in search logs does not constitute true anonymization," and told Google that "deleting the last octet of the IP-addresses is insufficient to guarantee adequate anonymisation."

WP29 also urged Microsoft and Google "to review [their] retention policy, to bring it in line with the recommended period of a maximum of 6 months;" and urged the three search engines "to review [their] anonymization claims and make the process verifiable, preferably by developing a credible audit process involving an external and independent auditing entity. The actual techniques of anonymization deserve an open debate, open to public scrutiny."

EFF has recommended that online service providers collect the minimum amount of information for the minimum time that is necessary to perform their search engines operations, and to effectively obfuscate, aggregate and delete unneeded user information.

WP29 understands the risks inherent in search engines holding vast collections of search log data of individuals. EFF hopes that search companies will now reduce the search data retention period and make public their methods for data anonymization to allow Internet users to make informed choices about which services they will use, and to encourage the development of more privacy protections for search engine users. Citizens should have the ability to make searches on the Internet without fear that their deepest secrets might be accessed by the government or private parties, published to the world, or used for secondary purposes without consent. By irreversibly anonymizing or deleting search log data no later than six months after their collection (if not earlier), individuals can have greater certainty that the government and private parties cannot gain access to their historical search data. That would be a very welcome first step.

Related Updates

The latest news from Brussels: Italy is not happy with Article 13 or Article 11, and wants them gone. What is going on with Europe’s meme-filtering Article 13 (and the hyperlink-meddling Article 11)? After the proposals sneaked over the finish line in a close European Parliamentary vote in July, the...

EFF is introducing a new Coders' Rights project to connect the work of security research with the fundamental rights of its practitioners throughout the Americas. The project seeks to support the right of free expression that lies at the heart of researchers' creations and use of computer code to...

Brazil’s federal elections are set for October 7, 2018, but the fear that “fake news” online might unfairly interfere with the electoral process has been looming over the country for far longer than this year’s campaign. In June, the President of the Superior Electoral Court declared such interference ...

On September 13, after a five-year legal battle, the European Court of Human Rights said that the UK government’s surveillance regime—which includes the country’s mass surveillance programs, methods, laws, and judges—violated the human rights to privacy and to freedom of expression. The court’s opinion is the culmination of...

The Australian government has ignored the expertise of researchers, developers, major tech companies, and civil liberties organizations by charging forward with a disastrous proposal to undermine trust and security for technology users around the world. On September 10, the Australian government closed the window for receiving feedback about its ...

Five of the largest U.S. technology companies pledged support this year for a dangerous law that makes our emails, chat logs, online videos and photos vulnerable to warrantless collection by foreign governments. Now, one of those companies has voiced a meaningful pivot, instead pledging support for its users...

A decade ago, before social media was a widespread phenomenon and blogging was still a nascent activity, it was nearly unthinkable outside of a handful of countries—namely China, Tunisia, Syria, and Iran—to detain citizens for their online activity. Ten years later, the practice has become all too common, and remains...

Despite waves of calls and emails from European Internet users, the European Parliament today voted to accept the principle of a universal pre-emptive copyright filter for content-sharing sites, as well as the idea that news publishers should have the right to sue others for quoting news items online –...

Earlier this week, we joined with Human Rights Watch, Amnesty International, Article 19, and 10 other international human rights groups in a letter to Google’s senior leadership, calling on the company to come clean on its intentions in China – both to the public, and within the company...